You have done your homework and have identified the security needs to protect your business. You put together the business case and presented it to your executives, who approved the spending. Now it is time to plan the implementation, and you have to communicate with your business stakeholders. How can you convince them that the additional protection you are adding to the ecosystem outweighs the disruption to their business processes? There are three key components that can help you position security changes with the business in a way that lowers the impact on your stakeholders and builds credibility for your security initiatives.
1. Engage the business early and often
We all know about partnering with the business. First and foremost, start with the why: why is the company asking them to change? Sharing the business context, and a real-world example if one is available, will demonstrate the value of the security change. Next, the more involved your stakeholders are with your plans, the more comfortable they will feel that they have had input. They will understand the context of your choices, and they will be prepared for the upcoming changes. Depending on the initiative, this could span your top leaders, the influencers, and a few people who have piloted your solution and can lend credibility to its upcoming implementation.
2. Understand all the use cases, especially the outliers
I think this is the critical component for success. Your business is involved in the plan and knows your timeline. Now you must take the time to understand all the use cases that exist in your business. With changes that affect end users and their processes (which means productivity to them), plan for more than the 80% case, or you will miss a critical use case that will mean frustration for the business and interruption for both you and your users while you work through the impact.
How will the security change affect Finance? It is probably very different from how it will affect your customer support function. If you are in an engineering industry, your R&D users will have separate use cases. What about any compliance issues? Talking to your Legal department ahead of time will help outline those. Even more important, don't forget about your field people. Remote users have special requirements that need to be considered in almost every project. This work speaks to the "90% planning, 10% execution" methodology: if you understand and proactively plan to address the major use cases, you will minimize most of the user frustration during implementation. Finally, don't forget the outliers. You may have a small team in R&D that runs one of your most critical processes. While they don't touch many systems or users, any disruption to that system could cause serious productivity issues; make sure you are partnering with them early on, so that their concerns are considered during the design phase.
3. Follow up after implementation to ensure the outcomes were as planned
Now you have communicated with and included your stakeholders in your planning, and designed your solution around their use cases. It is time for implementation. Most projects have "cut over" coverage during their implementation, such as a war room for a few days to a week to ensure users are working as expected. To truly build credibility with your stakeholders, however, plan on connecting with your users after go-live. Following up with them at 30 and 60 days post-implementation will show that you are driven by the relationship and the health of the business. Make sure to ask for candid feedback, and feed that back into future enhancements and releases.
Don’t “set it and forget it”
Most business units just want to understand what is happening in their productivity ecosystem. An effective security lead ensures that the business is educated on why a particular solution is being pursued (e.g., what benefit or protection will it provide?). Then, listening to their experiences, documenting their concerns, and incorporating them into your design will ensure a strong implementation and a high adoption rate. Finally, follow up with your stakeholders and make sure you met their expectations. It's a win-win-win situation for your business, for your users, and for your security program. In an upcoming post, I will discuss how to recover from "non-perfect" security implementations.